ISACA Survey: Wide Gap Between US Consumers and IT Professionals on Internet of Things Security

64% of consumers confident they can control information access of Internet of Things devices, 78% of professionals say security standards are insufficient

Rolling Meadows, IL, USA (14 October 2015) — Is the Internet of Things safe? A new survey from global cyber security association ISACA suggests a major confidence gap about the security of connected devices between the average consumer and cyber security and information technology professionals.

According to the consumer segment of ISACA’s 2015 IT Risk/Reward Barometer, 64 percent of US consumers are confident they can control the security on the Internet of Things (IoT) devices they own. Yet according to more than 2,000 US IT and cyber security professionals who responded to a parallel survey, only 20 percent feel this same confidence about controlling who has access to information collected by IoT devices in their homes, and 77 percent say manufacturers are not implementing sufficient security in IoT devices.

More than three in four US consumers (83 percent) consider themselves somewhat or very knowledgeable about the IoT, and the average estimated number of IoT devices in their home is five. Smart TVs top the list of most wanted IoT device to get in the next 12 months, with Internet-connected cameras, connected cars and wireless fitness trackers also ranked highly.

The Hidden Internet of ThingsISACA’s survey of US IT and cybersecurity professionals depicts an IoT that flies below the radar of many IT organizations – an invisible risk that survey respondents believe is underestimated and under-secured:

50 percent believe their IT department is not aware of all of their organization’s connected devices (e.g., connected thermostats, TVs, fire alarms, cars)

74 percent estimate the likelihood of an organization being hacked through an IoT device is medium or high

62 percent think that the increasing use of IoT devices in the workplace has decreased employee privacy

The IoT for business-to-business use alone is expected to expand from 1.2 billion devices in 2015 to 5.4 billion connected devices worldwide by 2020, according to one estimate.*

“In the hidden Internet of Things, it is not just connectivity that is invisible. What is also invisible are the countless entry points that cyber attackers can use to access personal information and corporate data,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA, group director of Information Security for INTRALOT. “The rapid spread of connected devices is outpacing an organization’s ability to manage it and to safeguard company and employee data.”

However, the business risk of not embracing the IoT and falling behind competitors may well outweigh any potential cost of a cyberattack, noted Dimitriadis. He added that organizations need to manage the risk to achieve the most benefit.

According to US cyber security and IT professionals surveyed, device manufacturers are falling short. Seventy-seven percent say they do not believe that manufacturers are implementing sufficient security measures in IoT devices. A nearly equal proportion (78 percent) don’t think current security standards sufficiently address the IoT and believe that updates and/or new standards are needed. Privacy is also an issue; 88 percent believe that device makers don’t make consumers sufficiently aware of the type of information the devices can collect.

ISACA’s consumer research suggests that US consumers are likely to value businesses that can demonstrate their expertise in and commitment to cybersecurity best practices: fully 89 percent of US consumers say it is important that data security professionals hold a cyber security certification if they work at organizations with access to the consumers’ personal information.

“Device manufacturers should lead the charge on adopting an industry-wide security standard that addresses IoT security, and put in place rigorous security governance and professional development for their cyber security employees. ISACA’s research shows a direct connection between positive customer sentiment and companies that can demonstrate security credentials,” said Robert Clyde, CISM, international vice president of ISACA and managing director of Clyde Consulting LLC.

About the Risk/Reward Barometer

The annual IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, the Barometer polls thousands of IT and cybersecurity professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and information, and the trade-offs people make to balance risk and reward. The study is based on online polling of 7,016 ISACA members in 140 countries from 27 August to 8 September 2015. Additional online surveys were fielded by M/A/R/C Research among 1,227 consumers in the US, 1,025 consumers in the UK, 1,060 consumers in Australia, 1,027 consumers in India and 1,057 consumers in Mexico. The US survey ran 17-20 August 2015, and the UK, Australia, India and Mexico surveys ran 21-30 August 2015. At a 95 percent confidence level, the margin of error for each individual country sample is +/- 3.1 percent. To see the full results, visit www.isaca.org/risk-reward-barometer.

About ISACA

ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.